Risk management, strategy and analysis from Deloitte

Content from our sponsor. Please note: The Wall Street Journal News Department was not involved in the creation of the content below.


New COSO Framework May Mean Renewed Compliance Effort

Much has changed in the business, regulatory and operating environment since the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its original Internal Control—Integrated Framework in 1992. COSO updated the framework in May 2013, and while the update retains the five initial components of internal control, it introduced 17 principles associated with those components, which provide additional guidance to help assess whether the principles are present and functioning. The updated framework continues its aim to assist organizations in their efforts to develop and maintain systems of internal control.

Carol Larson, Partner, Deloitte & Touche LLP

COSO will continue to make the 1992 framework available until December 15, 2014; at that time it will be superseded by the 2013 version. Therefore, companies applying and referencing COSO’s internal control framework for purposes of complying with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX 404) should consider COSO’s transition guidance.

The SEC has indicated that “the longer issuers continue to use the 1992 framework, the more likely they are to receive questions from the staff about whether the issuer’s use of the 1992 framework satisfies the SEC’s requirement to use a suitable, recognized framework (particularly after December 15, 2014)…”.* Banks and capital markets firms, in particular, may want to consider making the transition sooner rather than later, given their complex regulatory environment.

“While many financial institutions have recognized the need to assess their current program against the 2013 COSO framework, it’s also important they allow adequate time to respond to potential gaps,” says Carol Larson, partner, Deloitte & Touche LLP. “And it is important to factor in not only the time needed to implement changes and enhancements to their existing internal control environment but also the time needed for their external auditors to audit new/revised controls prior to year end,” she adds.

Nitish Idnani, Principal, Deloitte & Touche LLP

The process to evaluate compliance with the 2013 COSO framework will require effort beyond a mere mapping exercise of existing processes and controls to the 17 principles. “There may be more work to do regarding coordinating internal controls and risk principles,” notes Nitish Idnani, principal, Enterprise Risk Services, Deloitte & Touche LLP, “especially by banking and capital markets firms.”

Six Areas of Focus for the Banking and Capital Markets Sectors

Following are six insights for finance and risk executives in the banking and capital markets sectors charged with guiding their organizations through the new internal control landscape.

1. Application of 2013 COSO Framework

The updated framework retains three distinct, but overlapping categories of objectives—operations, reporting and compliance. It also reiterates the opportunity to expand the framework’s application beyond its traditional adoption for external financial reporting to include operations and compliance.

Sandy Herrygers, Partner, Deloitte & Touche LLP

“While the majority of banking and capital markets organizations have used the COSO framework to design their SOX 404 compliance system of internal control over financial reporting, many are taking a broader view of the updated framework for other purposes,” says Mr. Idnani. “The scrutiny of regulators and other third parties has intensified the need for reporting to be the end-product of a well-controlled process in which the effectiveness of controls is periodically assessed,” says Sandy Herrygers, partner, Enterprise Risk Services, Deloitte & Touche LLP. As a result, many organizations are applying the framework principles to design quality assurance review functions over other areas, including operational and regulatory reporting.

2. Consideration of Existing Enterprise-wide Controls Programs

The 2013 framework re-establishes the control environment as the basis for carrying out internal control responsibilities across the organization. It also emphasizes the role of the board and senior management in setting the tone regarding the importance of internal control and expectations concerning standards of conduct (principles 1-5).

“Many large financial institutions likely have several existing governance programs and monitoring activities to help them comply with the 2013 framework,” notes Ms. Herrygers. “However, in many cases these processes may not have previously been considered part of the core SOX 404 program. Consequently, management may want to create an inventory of the processes and design formal assessments as part of the SOX 404 program to demonstrate that they are present and functioning,” she adds.

3. Dynamic Risk Assessment Process

The 2013 framework calls for companies to have a dynamic risk assessment program (principles 6-9) that considers significant changes in business operations and adapts to internal, external and emerging risks. Such a program may require input from business units and appropriate levels of management, and that input should be formally captured as part of the risk assessment and scoping process, including the initial and continuous assessment of:

Fraud risk

Complex non-routine processes

Processes requiring the hand-off of data between departments

Manual processes or those dependent on end-user computing tools

Potential changes in the internal control environment

Emerging risks and issues at peer organizations and the industry

The risk assessment should be periodically updated to capture changes that may impact the qualitative assessment. For example, some banking and capital market firms coordinate between the risk teams embedded in business lines and the financial reporting risk and controls groups to discuss changes in risk profile, emerging trends and the external environment.

4. Outside Service Providers (OSPs)

The nature and extent of OSP use today is far greater than, and different from, what it was when the original COSO framework was written. Because of the reliance that financial institutions place on OSPs, it is critical to have controls to monitor that OSPs are performing the expected role in the expected manner. In fact, the 2013 framework incorporates concepts related to the use of OSPs in 12 of the 17 principles and emphasizes the inclusion of risks related to transactions processed by OSPs within the organization’s risk assessment. Such a program may feature, for example, including OSPs within the organization’s ethics and integrity programs, extending the tone at the top beyond the walls of the organization.

5. Fraud Risk Factors and Fraud Risk Assessment

The 2013 framework has been updated to specifically include concepts related to fraud risk (principle 8), and therefore organizations should consider the various types of fraud (such as misappropriation of funds and fraudulent financial reporting) as part of their assessment. The assessment should include consideration of fraud risk factors, such as incentives and pressure, opportunities, attitude and rationalization.

A reassessment of fraud risks and their potential impact on a material misstatement of the financial statements also may be required. “Such reassessments could lead to changes in controls that are considered relevant to external financial reporting,” says Ms. Larson. “In addition, several organizations have extended code-of-conduct requirements, including anonymous disclosure of impropriety to OSPs and vendors that are obligated to acknowledge such requirements,” she adds.

6. Information to Carry Out Internal Control Responsibilities

Recognizing the evolution of information systems and the increased dependency on system-generated data on the performance of internal controls, the 2013 framework includes IT considerations in 14 out of 17 principles, notably that the information produced by the organization is complete, accurate, current and verifiable.

Many financial statement disclosures require significant involvement and input from the business, product control, valuation, tax and finance departments. To support the complete flow of transactions and ensure that all suppliers and users of information understand the requirements, organizations may want to consider doing the following:

Inventory complex processes, including those related to OSPs.

Document the end-to-end process and expected flow of information.

Identify the relevant controls that address the quality of information generated and used in the performance of key controls supporting the financial statement line item or footnote disclosure.

Clarify roles and responsibilities that clearly articulate and confirm internal control objectives.

“Overall, banking and capital markets organizations should anticipate the need for a potential increase in compliance effort with respect to implementing the 2013 COSO framework,” says Mr. Idnani. “Management should begin its readiness assessments with urgency and expect significant discussion with its audit committee with periodic communication on progress throughout the year.”
